My site has been compromised. Intermittent placement of many pages of spam links to the bottom of my index.php file

Effect is for every page from the site to have this mega spam link at the bottom.

This in effect kills the rss feeds for my podcasts.

I just replace that file with a clean version and I'm back in business for a day or two. I usually catch it quickly.

Trying to figure out how they are doing this. I believe my site is secure at this point.

I surmised that there was a script placed somewhere without my knowledge.

I just found something peculiar in the /temp folder. Is the file "script.php" supposed to be in the /temp folder?

Has a single line in it:

<?php eval(gzinflate(base64_decode('fY9Bas.... then it goes on for a thousand characters or so

Any ideas? Should this be there? Is this the source of my intermittent hack?

Please excuse my lack of knowledge if this is an essential php file for drupal.

Greatly appreciate any help

Comments

ryivhnn’s picture

If you have a local copy of the site, compare it with the one that's online and look for any discrepancies. Delete said discrepancies.

If the /temp folder in question is not one that drupal makes, make a copy of the file in question, then delete it and find out if you actually need it or not :)

And change your password if you haven't done so already.

Good luck, hope it's something a lot easier than stupid script kiddies :P

works at bekandloz | plays at technonaturalist

sepeck’s picture

One google search
http://danilo.ariadoss.com/computers-and-internet/2006/jan/decoding-eval...

If you ever suspect your site has been compromised....
1. Backup your files and database.
2. Figure out if you have been compromised.
If you have, time to rebuild.

From the description it sounds more like spyware.... Not a Drupal exploit. You'll need some more research.

Make sure you are on the latest Drupal point release... Make sure you sign up for the Security newsletter. If running windows, don't surf from your server. Make sure your system is patched with Windows Update. Make sure you have up to date anti-virus. Make sure your firewall is up to date and locked down to only needed ports. Make sure your webserver is up to date.

Lots to do.

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
